Tuts 4 You


Popular Content

Showing content with the highest reputation since 02/22/2018 in all areas

  1. 12 points
    Hi! This is my first post on Tuts 4 You. I hope that this is the right section; if not, please delete this post!

    Ok so... A few months ago I made public my internal project called REDasm on GitHub. Basically it's a cross-platform disassembler with an interactive listing (but it's still far behind, if compared to IDA's one) and it can be extended with its API in order to support new formats, assemblers and analyzers.

    Currently it supports:
    - Portable Executable: VB5/6 decompilation. It can detect Delphi executables; a decompiler is WIP. .NET support is WIP. Debug symbols are displayed, if available.
    - ELF Executables: Debug symbols are displayed, if available.
    - DEX Executables: Debug symbols are displayed, if available.
    - x86 and x86_64 are supported.
    - MIPS is supported and partially emulated.
    - ARM support is implemented but still WIP.
    - Dalvik assembler is supported.

    Most common assemblers are implemented by using the Capstone library; the Dalvik assembler is written manually and even the upcoming MSIL/CIL assembler will be implemented manually.

    The entire project is written in C++ and its UI is implemented with Qt5. Internally, the disassembler is separated in two parts: LibREDasm and UI. LibREDasm doesn't contain any UI related dependencies, it's just pure C++; one day I will split it in two separate projects.

    Some links with source code, nightlies and wiki:
    Source Code: https://github.com/REDasmOrg/REDasm
    Nightly Builds (for Windows and Linux): https://github.com/REDasmOrg/REDasm-Builds
    Wiki: https://github.com/REDasmOrg/REDasm/wiki

    And some screenshots:
  2. 9 points
    Unpackers tools - source code C# My source code: https://gitlab.com/CodeCracker https://github.com/CodeCrackerSND https://bitbucket.org/CodeCrackerSND/ I will NOT share (anymore) the rest of my tools!
  3. 8 points
    A plugin to copy a selected disassembly range in the x64dbg CPU view tab, convert it to MASM compatible style assembler code and output it to the clipboard or the reference view tab.

    Features:
    - Copy selected range to assembler style code.
    - Outputs assembler code to clipboard or reference view.
    - Adds labels for jump destinations.
    - Adjusts jump instructions to point to added labels.
    - Indicates if jump destinations are outside selection range.
    - Code comments to indicate start/end and outside range.
    - Options to adjust comments and label outputs.
    - Format hex values as C style (0x) or MASM style.
    - Registered commands: CopyToAsmClip (ctac) and CopyToAsmRef (ctar)

    How To Install:
    - Copy the CopyToAsm.dp32 file to your x64dbg\x32\plugins folder
    - Copy the CopyToAsm.dp64 file to your x64dbg\x64\plugins folder

    How To Use:
    - Open x64dbg
    - Open target
    - Select lines of disassembly in the CPU tab window
    - Select CopyToAsm plugin
    - Select copy to clipboard (or copy to reference view tab)
    - Paste into text document (if previously copied to clipboard)

    Project Pages:
    https://github.com/mrfearless/CopyToAsm-Plugin-x86
    https://github.com/mrfearless/CopyToAsm-Plugin-x64

    Downloads: CopyToAsm-Plugin-x86, CopyToAsm-Plugin-x64

    Some screenshots. See the wiki example for more details: szLen example. Raw x64dbg disassembly of the szLen function of the masm32 library, and the copied and processed asm code pasted from the clipboard:
  4. 7 points
    Protected with ConfuserEx + Eaz + ConfuserEx + ILProtector + Enigma Virtual Box Unpacked file and keygen attached KeyGen_CrackME.zip CrackMe_unpacked_devirtualized_cleaned.zip
  5. 6 points
    Hello. Who the heck designed the new security requirements as far as passwords for this forum? It's absolutely insane.

    This time I submit a fully devirtualized version of the aforementioned crackme for the 64 bit version of VMP. Of course, I didn't work on this entirely by myself; it was more like a joint project with other reversers that are no strangers to this forum. Because we all had the same interests (code deobfuscation/VM devirtualization/unpacking) we decided to create our own group, where we essentially reverse some well known protectors for PE files.

    Current group members: @fvrmatteo @SmilingWolf @mrexodia @xSRTsect @Raham @root @Downpour

    People involved in the coding of the 64 bit VMP devirtualization tool: @fvrmatteo, @SmilingWolf, @mrexodia, @xSRTsect.

    The tools will never be released. There is a tiny chance that an outsider can join our group IFF you have pwned an interesting protector and you are willing to share your insight with our group, or you are willing to impress us with some mad unpacking / deobfuscation skills.

    Best Regards, The European Reversers Alliance.

    Edit: Added gay @ symbols to the nicknames (some people really wanted that). And added a more gay version of the devirtualized binary which is essentially the same but with the devirtualized functions linked statically. devirtualized.rar inlined_version_ERA.7z
  6. 5 points
    Reverse-Engineering WebAssembly binaries: https://www.forcepoint.com/blog/security-labs/analyzing-webassembly-binaries Best Regards, Evilcry
  7. 5 points
    Version 1.0.0

    Hotkeys:
    m: play/stop music
    f1: switch fullscreen/windowed
    f3: nfo reader
    elite: hidden part
    esc: quit
  8. 5 points
    Here you go: https://crackmes.one/ BR, Evilcry
  9. 5 points
    - Intel x86 / x64 opcode reference manuals (I think you can download them in PDF form on their site somewhere), then writing some apps in asm to get a grip on MASM etc., or in C, and then debugging them to see how things work
    - then Lena's tuts (I've never used them though; I taught myself a long time ago, where I'd download the opcode refs and study them offline (an internet connection was a rarity at the time for me))
    - pencil (to undo mistakes) and paper, to make notes, and lots of them
    - tools like Hiew, IDA (never really liked IDA too much as I thought it was slow), Olly, x64dbg etc. etc.
    - and referencing sites like this one, the masm32 site, Woodmann and some others
    - time and patience, and doing some homework before asking for help / pointers (I usually won't help people who want to get everything spoonfed to them or ask for videos etc. or think they're somehow entitled)
  10. 5 points
    @unavailable: Don't give up! Success comes through perseverance!! Cracking is a long process. I lost my interest in cracking programs, but I will still make some RE tools and try to help people the way I can.
  11. 5 points
    Hi. In this method we're using DLLs as a loader. Some system files (I have only tested DLL files) can be loaded from outside the system directory, so we can use them to patch files!! Most "Delphi" and "Dotnet applications" load "version.dll" by default, so we can use this file as a loader for them! Best Regards, h4sh3m version.rar
  12. 5 points
    Crashing on my Win10 inside VMware as well. Windows Defender stopped, no other AV. It's a perfect protection - if nobody can run it, nobody can crack it.
  13. 5 points
  14. 4 points
    Many of you may be amazed at Guru LCF-AT's script "VMProtect API Turbo Tracer 1.2". But for most of the newbies, just like me, you may have a lot of problems in getting the script to work properly in your own Ollydbg. LCF-AT already uploaded a lot of Ollydbg setting information together with the script to help us fix those Ollydbg problems, but there are too many details. Yes, I suffered a lot at the initial stage when I was trying to use "VMProtect API Turbo Tracer 1.1" with my Chinese version "Terminator Ollydbg 1.1.0". With LCF-AT's kind help, I created this basic version of Ollydbg 1.1.0, which is specially for running "VMProtect API Turbo Tracer 1.1". And it works smoothly on my laptop, with Windows XP Professional SP3. If you like, get it and give it a try. Enjoy Cracking!!
  15. 4 points
    To store all the paths you could use an INI file with a structure like:

    [Settings]
    Count = Number of paths

    [0]
    Path = Path to the program to execute
    Param = Parameter value
    ...

    You could read the Count and Param values with GetPrivateProfileInt and the path with GetPrivateProfileString. To store the path and parameter you can create a structure in MASM that holds both values and allocate memory to store the stuff inside. After loading the INI file you can iterate through your array, compare the Param attribute and execute the program if it's a match. This may not be the best solution but it should be pretty simple.
  16. 4 points
  17. 4 points
    ..and with one known key it's perfectly solvable. All credits go to @Reza-HNA for deobfuscating the keygenme. After that, it was a piece of cake. The keygen is not obfuscated in any way, so anyone can take a look at how it's done. keygen for Newbe KeygenMe1.zip
  18. 4 points
    You didn't do that right. Try again. The malware copies itself to %AppData%\Roaming\ProSoft\ProSoft.exe. Then it creates an svchost.exe process, decrypts the actual password stealer and injects it there. The password stealer will connect to secure.jagexlaucher.top and send the stolen data. That's all you need to know to analyze it.
  19. 4 points
    See ECMA335, read ".NET IL Assembler" by Serge Lidin, or search .NET Core for ENC_MODEL_STREAM_A. "#~" is the standard "compressed" stream. "#-" is an "uncompressed/unoptimized" stream that can contain deleted items, items from an edit-and-continue operation in VS, etc.
  20. 4 points
    The best thing I ever did was delete my Facebook account the other year. That empowered me to take back control of my privacy! Ted.
  21. 4 points
  22. 4 points
    Version 1.7

    REPT KeyGen Maker is a utility to make keygens easily without having any programming knowledge. Please report any bugs/improvements to make it better. This is currently done in .NET so it will need .NET Framework 3.5 or higher. Thanks for downloading it!
  23. 3 points
    The downside to a game like this is that if it's ever meant to be taken seriously in an online manner, it's too insecure. Things are run and handled entirely on the client end. (I'm not sure if this is intended to be online/multiplayer in the full game etc.)

    For example, the game uses a 'Sanity' meter to track your movement allowance. You can skim the main .js file to find how the game interacts with this value. Once you find what you need, in this case for Sanity, you can just open the browser's interactive console and change the values as you wish, such as:

    this.main.party.changeSanity(100);

    Which will put you at max Sanity. Because this uses JavaScript, you can self-host a web browser control in an application and continuously inject new JavaScript into the game's state. You can take over the sanity entirely and just keep it at max any time the game tries to use it by completely overriding a function that uses it, like this changeSanity function. The console print out of the function is simple:

    ƒ (d,a){var c;a=this.sanity;this.sanity=(this.sanity+d).clamp(0,this.maxSanity);d=this.sanity-a;0<this.sanity&&null!=(c=this.main.exped)&&c.resetSanityTurns();return d}

    You can simply just reset this function to do what you want with the sanity value instead, such as:

    this.main.party.changeSanity = function(d,a) {
        var c;
        this.sanity = this.maxSanity;
        c=this.main.exped;
        c.resetSanityTurns();
        return this.maxSanity;
    }

    And now any time you move you have max sanity. Interesting idea to make a full on game like this, but in terms of hacking it, HTML/JavaScript is super insecure for things like this. Validation would need to happen constantly on the server end to ensure data is not tampered with, which costs a ton in resources on the server end with potentially millions of players all having to be constantly sync'd and validated against the server.
  24. 3 points
    Really depends on what you want. First things first - "free" obfuscators for .NET don't do protection very well. At best they just rename the classes of your assembly, at worst they do absolutely nothing at all. When it comes to paid obfuscators, here are your options - they are bound to change as protection schemes get cracked and patched.

    Low End: .NETGuard is most likely your best option if you want low price protection. It does quite a nice job - when it actually works. It has a lot of issues with program compatibility & certain features not working on certain PCs, but the devs are still working on it.

    Medium End: ILProtector is quite good to stop script kiddies from reversing your assemblies, but recent unpackers (such as my own) have made it less worthwhile. Babel.NET's obfuscator also looks quite promising for about the same price.

    High End: Eazfuscator.NET is the obvious choice here. Its managed virtualization is the best on the market (as of now), and is quite difficult to deobfuscate. It also has extremely easy integration with VS and it works on almost any assembly. The only problem is that its control flow obfuscation is absolute shit and its string encryption has been broken by de4dot. I have also heard of an obfuscator named DNGuard HVM, which has a native VM obfuscation - but it is insanely expensive.

    There are also a few obfuscators which I recommend you avoid - here is the list:
    - SmartAssembly - Its protection is complete crap (unpackable by de4dot) and is also more expensive than EAZ. Don't waste your money.
    - .NET Reactor - Latest version is fully broken by de4dot. The project does not seem all too active either.
    - Agile.NET - Another super expensive obfuscator that has been cracked by de4dot & is inactive. If you are going to be spending this amount of money, you are better off buying DNGuard.
    - CryptoObfuscator - Completely broken by de4dot & inactive.
    - Appfuscator - As of now an unpacker exists for this, but it might change at some point. Right now I suggest you avoid it until they patch their protection.

    Of course, all of these schemes are bound to be cracked at some point. The best protection is always to make it yourself. Custom protection is always the hardest and most annoying to crack, as a cracker has no idea how the scheme works and must figure that out at their own peril.
  25. 3 points
    First you say Themida is trash tier, then you pick a far inferior packer and state that it is better..? People need to start realizing that if you have no clue what you're talking about, you should either start your sentence with "I assume" or you shouldn't say anything at all. Silence is bliss.

    VMProtect is actually rather bad, as the virtual machine in VMProtect is really easy to crack. If you have to choose between Themida and VMProtect, you should always pick Themida. Why? Because Themida's virtual machines are much more advanced and much harder to crack than VMProtect's.

    Themida was initially known for its CISC VM which was (at the time) very strong. It has since been defeated (by Deathway) and is now considered weak (since it's actually rather simple once you start to understand it). VMProtect's virtual machine is almost an exact replica of the Themida CISC VM featuring stronger obfuscation, and as such it works in the exact same way, which makes it (almost) equally weak.

    Since then, Themida developed the RISC machine (RISC64 and RISC128), which was again defeated by Deathway. They then proceeded to develop the FISH and TIGER machines, which feature very new tricks such as complex combined handlers (FISH) doing multiple operations each instead of a handler for each operation like CISC had, and also internal (yet simple) cryptography. The TIGER VM is very similar to the FISH VM (since it is built on the same engine), but doesn't utilize the cryptographic internal registers, etc. Themida also features hybrid virtual machines, such as SHARK, which is FISH virtualized by TIGER, or PUMA, which is TIGER virtualized by FISH. The newest machine(s) from Themida is the DOLPHIN machine, which is yet another layer of complexity upon the newer FISH/TIGER engine, while also supplying a hybrid VM called EAGLE, which is FISH virtualized by DOLPHIN (if memory serves right).

    If you want to compare the complexity of the newer Themida VMs (e.g. EAGLE) vs. VMProtect's VM, you're probably looking at a complexity scale saying 15:1 or something like that.

    TL;DR Don't listen to the guys above, as they are completely clueless on the topic. Pick Themida if you have to choose between the two of them.